The Apache HTTP Server is one of the most stable and secure services that ships
with Red Hat Enterprise Linux. There are an overwhelming number of options and techniques
available to secure the Apache HTTP Server — too numerous to delve into
deeply here.

It is important when configuring the Apache HTTP Server to read the documentation
available for the application. This includes the chapter titled
Apache HTTP Server in the Red Hat Enterprise Linux Reference Guide,
the chapter titled Apache HTTP Server Configuration in the
Red Hat Enterprise Linux System Administration Guide, and the Stronghold manuals, available
at https://www.redhat.com/docs/manuals/stronghold/.

Below is a list of configuration options administrators should be
careful using.

The UserDir directive is disabled by
default because it can confirm the presence of a user account on the
system. To enable user directory browsing on the server,
use the following directives:

UserDir enabled
UserDir disabled root

These directives activate user directory browsing for all user
directories other than /root/. To add
users to the list of disabled accounts, add a space delimited list of
users on the UserDir disabled line.

By default, the server-side includes module cannot execute
commands. It is ill advised to change this setting unless absolutely
necessary, as it could potentially enable an attacker to execute
commands on the system.